IBM Power Systems Platform
IBM System i and i5/OS
Data Encryption Options
Sue Baker
IBM Advanced Technical Support
Rochester, MN
Agenda
Why is Encryption Hot in the Marketplace Today?
Alternatives for Encryption on IBM System i and i5/OS
– Encrypt Data in your Database/Application
– Encrypt Data using Middleware
– Encrypting Data via an Encrypted ASP – V6R1
– Encrypt Data via Tape Appliances
– Encrypting Data via Tape Drives with Built-in Encryption
– Overview of Encryption Solution on IBM Tape Drives
– The Encryption Key Manager (EKM)
– BRMS and Tape Encryption
– Encryption - How to get Started
Tape and Data Encryption
In the News
TAPES LOST!
Privacy Commission Contacted
In a move that could fuel efforts to change data storage practices, records management provider ABC Co has admitted losing a customer’s backup tapes and is recommending that customers begin encrypting tapes.
Although data encryption is not a new issue, it is a growing business security focus. Increased awareness of customer privacy, an increase in identity theft crimes, and more technically savvy criminals are all contributing.
New state, federal and industry regulations to protect personal data, credit card numbers, etc. are making this an issue of interest to many.
Many government agencies are requiring disclosure of security breaches
– 38 states have enacted legislation requiring notification in cases of security breaches
• Source: www.Privacyrights.org
– Similar federal legislation has been proposed
• Source: http://www.epic.org/privacy/bill_track.html
Industry organizations are also increasing scrutiny of security procedures
• Source: Payment Card Industry Security Audit Procedures Version 1
Over 90 million consumers have been notified of potential security breaches regarding personal information since 2/2005
• Source: www.Privacyrights.org
Customer Data EXPOSED!!
Costs from Security Breach
Direct Costs
- Fines and penalties
- Customer notification (letters, postage, hotline, credit checks)
- Public Relations costs
- Legal Actions
Indirect Costs
- Loss of reputation
- Loss of customer goodwill
Techniques for Encrypting Data on System i
– Encrypted Fields: encrypt sensitive data directly in SQL table columns, or via application use of cryptographic APIs
– Encrypted Copy: encrypt selected objects using IBM or 3rd party middleware
– Encrypted Data Appliance: encrypt using a 3rd party appliance between the server and the tape drive
– Encrypting tape drive: encrypt using a tape drive with built-in tape encryption
– Encrypted ASP/iASP: encryption of data at rest in an ASP
i5/OS V6R1 Enhancements
– i5/OS V6R1 cryptographic key management enhancements
– Encrypted BRMS backups of user data to tape or virtual tape
– Encryption of data residing in an ASP (user and independent)
Announce 1/29/08 GA 3/21/08
Encrypting Data in your Database/Application
Four methods to choose from:
• DB2 column encryption (V5R3 onwards)
• i5/OS cryptographic API’s (V5R3 onwards)
• Java cryptographic extensions (API’s)
• 4764 cryptographic co-processor and API’s
Let’s look at these in more detail!
Encrypting Data in your Database/Application
DB2 column encryption
• Built-in to i5/OS from V5R3 onwards
• Native DB2: use “Before Insert” and “Update” triggers
• SQL: use SQL functions and “Instead of” triggers
• Details available in the i5/OS Information Center
Encrypting Data in your Database/Application
i5/OS cryptographic API’s
• Built-in to i5/OS from V5R3 onwards
• Called by an application program
• Use industry standard encryption algorithms
• V5R3: Application must handle keys
• V5R4: Key Mgmt APIs store master keys below the Machine Interface (MI) – i.e., never in the clear in the application
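As an added example (not i5/OS code and not any of the four products’ APIs), the following Go program shows what an application does when it encrypts a selected field itself, the way it would with the i5/OS or JCE APIs: the sensitive value is encrypted with a 256-bit AES key under GCM before it is written, the stored value grows by a fixed overhead (the “records can grow” caveat the deck raises for middleware tools), and a stored value that was altered is rejected at decrypt time instead of being returned as garbage. The functions encryptField, decryptField and storedFieldLen and the sample card number are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Fixed growth of every encrypted field: a 12-byte nonce stored in front of
// the ciphertext and the 16-byte GCM authentication tag appended after it.
const (
	nonceLen = 12
	tagLen   = 16
)

// gcmFor builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField encrypts one sensitive column value before it is stored.
// A fresh random nonce is used for each value, so two identical card
// numbers do not produce the same stored bytes. Output: nonce||ciphertext||tag.
func encryptField(key, plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptField reverses encryptField. A value that was altered in storage
// fails the tag check and is rejected instead of being returned as garbage.
func decryptField(key, stored []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(stored) < n+aead.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	return aead.Open(nil, stored[:n], stored[n:], nil)
}

// storedFieldLen is the column width a plaintext of plainLen bytes needs
// once encrypted: this is the "records can grow" effect in concrete terms.
func storedFieldLen(plainLen int) int {
	return plainLen + nonceLen + tagLen
}

func main() {
	// A 256-bit data key. In a real application it is obtained from the key
	// store (for example the V5R4 key management APIs), never from a literal.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111") // constructed sample card number
	stored, err := encryptField(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext %d bytes -> stored %d bytes (column needs %d)\n",
		len(pan), len(stored), storedFieldLen(len(pan)))
	back, err := decryptField(key, stored)
	fmt.Printf("round trip: %q err=%v\n", back, err)
	stored[len(stored)-1] ^= 0x01 // simulate a corrupted or tampered stored value
	_, err = decryptField(key, stored)
	fmt.Println("tampered value rejected:", err != nil)
}
```

Two design points carry over to any of the four methods: the column holding the ciphertext must be sized for the plaintext plus the per-field overhead, and the key is never part of the record; where the key lives (application storage for V5R3 and JCE, below the MI for the V5R4 key management APIs, in hardware for the 4764) is exactly the difference between the methods the following slides compare.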
Encrypting Data in your Database/Application – V6R1
i5/OS V6R1 cryptographic key management enhancements
– GUI and CL interface to manage master keys
• New master key for ASP encryption (256 bit)
• New master key for save/restore (256 bit)
– Save/restore of software master keys
– Improved SSL acceleration using the 4764 Cryptographic coprocessor
– New algorithm modes
Encrypting Data in your Database/Application
Java cryptographic extensions (API’s)
• JCE for short
• Part of i5/OS Developer Toolkit for Java (5722-JV1)
• Similar services to i5/OS crypto APIs
• Adds Digital Signature Algorithm (seldom used)
• Application must manage/store encryption keys
Encrypting Data in your Database/Application
4764 cryptographic co-processor and API’s
• Orderable hardware feature
• Application program calls the APIs to access the encryption functions of the co-processor
• API’s standard across platforms
• Main advantage: key is stored in hardware
Protecting i5/OS Data with Encryption Whitepaper
Great whitepaper that came out last year
Protecting i5/OS Data with Encryption Redbook
New Redbook currently in a draft
Non-IBM Middleware for Encryption
(Diagram: Encrypt then save/transmit – File A is passed through the Encryption Tools to produce File A’, which the Tape Management System then saves or transmits)
Benefits:
• Typically low cost
• Good for small amount of data to encrypt and/or long backup
Example: Records can grow when they are encrypted. Tools/techniques are available to help.
Watch for:
• Performance
• Extra disk required
• Key management functions
Non-IBM Middleware for Encryption
Multiple vendors offer System i software-based encryption products, and many offer trial downloads of their product so that application functionality can be explored. Examples include:
Help/Systems
–http://www.helpsystems.com/ops/save.html
Linoma Software
–http://www.linomasoftware.com/products/transferanywhere
Patrick Townsend & Associates, Inc
–http://www.patownsend.com/AES.htm
PKWARE, Inc
–http://www.pkware.com/index.php?option=com_content&task=view&id=37&Itemid=84
NuBridges
–http://www.nubridges.com/
IBM Middleware for Encryption – V6R1
Encrypted BRMS backups of user data to tape or virtual tape
– Encrypted Backup Enablement – i5/OS Option 44 – This is a priced option
BRMS enabled encryption will be supported for:
– Any tape library
– Standalone tape drive
– Virtual tape
– Media duplication
What can be encrypted?
– All user data
– The operating system cannot be encrypted
– Tape labels will not be encrypted
Performance considerations
Encryption of Data at Rest on Disk – V6R1
New in i5/OS V6R1, encryption of data residing in an ASP (user and independent)
– Encrypted ASP Enablement – i5/OS Option 45 – This is a priced option
Encryption of Data at Rest on Disk – V6R1
Meet regulatory requirements being imposed on our customers
Reduce or eliminate the need for application providers to encrypt data
Provide a more secure solution to help protect data
– Key management done by the system
Encryption of data at rest
– Software solution
– Minimal key management requirements
Threats
– Protection of ‘data in flight’ to SAN
– Protection of ‘data in flight’ in cross-site mirroring environment
– Data loss
• Physical loss of a disk drive (switched ASP)
Implementation Approach – V6R1
Provide the capability to encrypt all data residing on an ASP
Cryptographic keys will be stored in software but protected by “isolated” storage and master keys
Minimal change required to an application
– ASP level changes may be required
Encryption/Decryption done at low level in SW
– Storage Management in LIC (Write and Read to/from disk)
Encryption keys, for switched ASPs, stored in the Independent ASP, protected by the master key in the system ASP
Encryption keys for encrypted User ASP stored in the system ASP
AES (Advanced Encryption Standard) algorithm
Randomly generated 256 bit encryption keys (for both independent and user
Restrictions in V6R1
Encryption decision must be specified during ASP configuration. No option to turn on/off encryption after configuration
Master keys can be changed by the system administrator
No option to change data encryption keys after configuration
ASP Key Management – Independent ASP – V6R1
(Diagram: ASP-Master-Key-Sys-1 held in the System ASP; DATA-KEY1, DATA-KEY2 and DATA-KEY3 held on independent ASP1, ASP2 and ASP3, each protecting that ASP’s data)
Master Key, in system ASP, protects data encryption key stored on the IASP
Data encryption key is unique for each IASP
ASP Key Management – User ASP – V6R1
(Diagram: ASP-Data-Key1 held in the System ASP, with the data on user ASP1, ASP2 and ASP3)
Data encryption key is stored in the system ASP
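To make the two-level key hierarchy on the V6R1 ASP slides concrete (a data key per ASP, protected by a master key in the system ASP, with the master key changeable but the data key fixed), here is an added Go model. It is not i5/OS or Licensed Internal Code, only an illustration of the design as the slides describe it: a randomly generated 256-bit data key that exists only in wrapped form under the master key, AES applied to each page at write and read time, and a master key change that re-wraps the data key without touching a single page. AES-GCM for the wrapping, AES-CTR keyed by page number for the pages, and the names newEncryptedASP, page and changeMasterKey are assumptions made for this example; the real LIC formats are not on the slides.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// encryptedASP models one ASP: the random 256-bit data key is kept only in
// wrapped form (encrypted under the system master key), never in the clear.
type encryptedASP struct {
	wrappedKey []byte // the only stored form of the data key
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapKey/unwrapKey protect the data key under the master key. AES-GCM with a
// random nonce is assumed here; the LIC's real format is not on the slides.
func wrapKey(master, dataKey []byte) ([]byte, error) {
	aead, err := gcmFor(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, dataKey, nil), nil
}

func unwrapKey(master, wrapped []byte) ([]byte, error) {
	aead, err := gcmFor(master)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(wrapped) < n+aead.Overhead() {
		return nil, fmt.Errorf("wrapped key too short")
	}
	// Open fails when the master key is wrong or the wrapped key was altered.
	return aead.Open(nil, wrapped[:n], wrapped[n:], nil)
}

// newEncryptedASP generates the data key when the ASP is configured, the only
// time the slides allow the encryption decision to be made.
func newEncryptedASP(master []byte) (*encryptedASP, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	wrapped, err := wrapKey(master, dataKey)
	if err != nil {
		return nil, err
	}
	return &encryptedASP{wrappedKey: wrapped}, nil
}

// page runs AES-CTR under the data key with the page number as the counter
// prefix (assumed mode; the slides only say AES). CTR is its own inverse and
// keeps the page size, so the same call serves the write path and the read path.
func (a *encryptedASP) page(master []byte, pageNo uint64, in []byte) ([]byte, error) {
	dataKey, err := unwrapKey(master, a.wrappedKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, pageNo)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// changeMasterKey re-wraps the data key under a new master key and touches no
// page: rotating the master key is cheap, while the data key cannot change
// without re-encrypting every page (the V6R1 restriction on the slide above).
func (a *encryptedASP) changeMasterKey(oldMaster, newMaster []byte) error {
	dataKey, err := unwrapKey(oldMaster, a.wrappedKey)
	if err != nil {
		return fmt.Errorf("old master key rejected: %w", err)
	}
	wrapped, err := wrapKey(newMaster, dataKey)
	if err != nil {
		return err
	}
	a.wrappedKey = wrapped
	return nil
}
```

Usage: create the ASP with newEncryptedASP(master), encrypt a page with asp.page(master, n, clear) and decrypt it with the same call on the ciphertext; after asp.changeMasterKey(master, newMaster), pages written earlier still decrypt under newMaster and the old master key is refused. This is also why the master key must be saved and restorable (the V6R1 “save/restore of software master keys” item): lose it, and every wrapped data key, and with it every encrypted ASP, is unreadable.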
Encryption Performance – V6R1
Encryption is CPU intensive
Certain types of applications can perform well, others may have problems
– Encrypting/decrypting many pages (objects) when CPU bound will be a problem
– Encrypting/decrypting many pages (objects) when CPU capacity is available will NOT be a problem
– Disk paging rate of the application will determine feasibility
AES Algorithm
– ~85MB per second on single dedicated POWER5 processor
Non-IBM External Tape Encryption Appliances
(Diagram: System i, SAN Switch, Encryption Appliance, Tape Drive)
Benefits
• Don’t need latest tape drives
Watch For
• Performance, especially if appliance encrypts prior to compaction
• Recovery/alternate IPL testing
• Key management
Decru, Inc – http://www.decru.com/products/dsSseries.htm
NeoScale Systems, Inc
Current IBM Tape Product Line for System i
(Diagram: three tape families and their positioning)
– VXA / QIC family (internal drives; DAT 72): Low cost, Good capacity, Good speed
– LTO family (Half High LTO-2 NEW in 2007; TS2340, TS3100, TS3200, TS3310, TS3500; LTO4 new in 2007): Low cost, High capacity, Fast streaming
– Enterprise family (TS3400, TS1120; NEW in 2007): High performance, High capacity, Industrial strength
Also shown: 3580, 3581, 3582, 3583 and TS3500 / 3584
LTO Ultrium Tape Family
Device (machine name): Max # cartridges / Max # drives / Partition capable
– TS3500 (3584): >6200 / 192 / Yes
– 3583: 72 / 6 / Yes
– TS3310 (3576): 396 / 18 / Yes
– 3582: 24 / 2 / Yes
– TS3200 (3573-L4U): 44+3 / 2 / Yes
– 3581: 7 or 8 (*) / 1 / No
– TS3100 (3573-L2U): 22+1 / 1 / No
– 3580: 1 / 1 / No
– TS2340 (3580): 1 / 1 / No
LTO4 drives (new in 2007) can be placed in the current LTO tape family devices: TS2340, TS3100, TS3200, TS3310, TS3500. The TS2340 does NOT support encryption on System i.
Encryption is supported for FIBRE LTO4 drives in the
Enterprise Tape Family
Device (machine name): Max # cartridges / Max # drives / Partition capable / LVD drives
– TS3500 (3584): >6200 / 192 / Yes / No (for TS1120)
– TS3400 (3577-L5U): 18 / 2 / Yes / No
– TS1120 Standalone Drive (3592-E05): 1 / 1 / No / No
Encryption is supported for TS1120 drives in the TS3400 and TS3500 (and 3494), but not standalone drives
Encryption Methods
Library-Managed (LME): TS3500, TS3400, TS3310, TS3200, TS3100, 3494
System-Managed (SME): z/OS, AIX, Solaris, Windows & Linux
Application-Managed (AME): TSM only
System i Tape Encryption on IBM Tape Drives
(Diagram: System i attached to LTO4 or TS1120 drives in a tape library; the library obtains keys from the Encryption Key Manager (EKM) server)
Components
• Encryption capable tape drive(s) – fibre LTO4 or TS1120
• A tape library – TS3100/3200/3310, TS3400, TS3500, 3494
• Encryption Key Manager (EKM) server
How does it work?
• System i sends the backup to the tape library
• If the drive has encryption turned on, then the library gets the keys from the EKM
• The drive/library writes the save
• BRMS is recommended to keep encrypted/non-encrypted tapes
The Encryption Key Manager (EKM) – Details
EKM runs in Java on the following platforms:
IBM operating systems
• i5/OS V5R3 and above
• AIX V5R2 and above
• System z operating systems
Non-IBM operating systems
• Windows
• Linux
• HP
• Sun
How to get the latest copy of the EKM code:
• Download from http://www-1.ibm.com/support/docview.wss?&uid=ssg1S4000504
How to get the IBM Java Runtime Environment (IBM JRE):
• For i5/OS: get the no-charge “IBM Developer Kit for Java” (5722-JV1)
• For other platforms – follow the links by platform from the EKM web site above to get either a code download, or to order the no-charge “IBM TotalStorage Productivity Center –
The Encryption Key Manager (EKM) – IMPORTANT
(Diagram: Primary Site and Disaster Recovery Site with comparable DR site gear, each running its own EKM)
Run Multiple EKMs (so backups can still run when one is down)
Export-Synch / Save Keys
• Export-Synch keys on all EKMs each time keys change
• Keep offsite backup of EKM
Don’t Encrypt EKM
TEST YOUR RECOVERY CAREFULLY!
BRMS and Tape Encryption
• In TS3500 and 3494, user needs to keep encrypted / non-encrypted media inventories in synch between BRMS and Tape Library records
• BRMS PTFs for “Encryption Awareness” on TS1120 drives will help: SI24932 - V5R2M0, SI24933 - V5R3M0, SI24934 - V5R4M0
• These PTFs provide a new Media Density for TS1120, “FMT3592A2E” (the final E stands for “Encrypted”!)
(Diagram: a Media Class for Regular Tapes, for TS1120 using Density FMT3592A2, holds Vol 1 to Vol 3; a Media Class for Encrypted Tapes, for TS1120 using density FMT3592A2E, holds Vol 4 to Vol 6; the Scratch Encryption Policy refers to Regular Volumes Vol 1 to Vol 3 and Encrypted Volumes Vol 4 to Vol 6)
Encryption – Getting Started
Careful Planning is required
• Encryption strategy
– What data will / won’t be encrypted?
– Which encryption techniques should be used?
– Which vendor should be selected?
– What other companies need to exchange data with us?
• Key management strategy
– Which platform should run the EKM? Where should it be located?
– What keys are required and how often will they change?
– What is the HA and DR strategy for the keys?
References – Encrypting Data in your Database/Application
i5/OS Information Center
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp
i5/OS Cryptographic Services APIs
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/apis/catcrypt.htm
Java Cryptography Extension (JCE)
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzaha/rzahajce.htm
System i cryptographic hardware: 4764/4758 Cryptographic Coprocessors
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzajc/rzajcco4758.htm
DB2 Column Encryption – Scalar Functions
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/db2/rbafzmstscale.htm
i5/OS Secure Sockets Layer (SSL)
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzain/rzainoverview.htm
i5/OS Digital Certificate Manager (DCM)
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzahu/rzahurazhudigitalcertmngmnt.htm
i5/OS Virtual Private Networking (VPN)
– http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzaja/rzajagetstart.htm
System i Performance Capabilities Reference contains crypto performance information
References – Tape Drive Encryption
TS1120/TS3500 Tape Encryption on System i – Whitepaper
– http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/TD103557
IBM Encryption Key Manager Code and User’s Guide
– http://www-1.ibm.com/support/docview.wss?&uid=ssg1S4000504
IBM System Storage TS1120 Tape Encryption: Planning, Implementation and Usage Guide - Redbook
– http://www.redbooks.ibm.com/redbooks/pdfs/sg247320.pdf
** This Redbook is currently being updated to include LTO4 encryption. Once done, the new title will be “IBM System Storage Tape Encryption Solutions”
This document was developed for IBM offerings in the United States as of the date of publication. IBM may not make these offerings available in other countries, and the information is subject to change without notice. Consult your local IBM business contact for information on the IBM offerings available in your area.
Information in this document concerning non-IBM products was obtained from the suppliers of these products or other public sources. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. Send license inquires, in writing, to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY 10504-1785 USA.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
The information contained in this document has not been submitted to any formal IBM test and is provided "AS IS" with no warranties or guarantees either expressed or implied.
All examples cited or described in this document are presented as illustrations of the manner in which some IBM products can be used and the results that may be achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions.
IBM Global Financing offerings are provided through IBM Credit Corporation in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government clients. Rates are based on a client's credit rating, financing terms, offering type, equipment type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice.
IBM is not responsible for printing errors in this document that result in pricing or information inaccuracies.
All prices shown are IBM's United States suggested list prices and are subject to change without notice; reseller prices may vary. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
Any performance data contained in this document was determined in a controlled environment. Actual results may vary significantly and are dependent on many factors including system hardware configuration and software design and configuration. Some measurements quoted in this document may have been made on development-level systems. There is no guarantee these measurements will be the same on generally-available systems. Some measurements quoted in this document may have been estimated through extrapolation. Users of this document
The following terms are registered trademarks of International Business Machines Corporation in the United States and/or other countries: AIX, AIX/L, AIX/L (logo), AIX 6 (logo), alphaWorks, AS/400, BladeCenter, Blue Gene, Blue Lightning, C Set++, CICS, CICS/6000, ClusterProven, CT/2, DataHub, DataJoiner, DB2, DEEP BLUE, developerWorks, DirectTalk, Domino, DYNIX, DYNIX/ptx, e business (logo), e(logo)business, e(logo)server, Enterprise Storage Server, ESCON, FlashCopy, GDDM, i5/OS, i5/OS (logo), IBM, IBM (logo), ibm.com, IBM Business Partner (logo), Informix, IntelliStation, IQ-Link, LANStreamer, LoadLeveler, Lotus, Lotus Notes, Lotusphere, Magstar, MediaStreamer, Micro Channel, MQSeries, Net.Data, Netfinity, NetView, Network Station, Notes, NUMA-Q, OpenPower, Operating System/2, Operating System/400, OS/2, OS/390, OS/400, Parallel Sysplex, PartnerLink, PartnerWorld, Passport Advantage, POWERparallel, Power PC 603, Power PC 604, PowerPC, PowerPC (logo), Predictive Failure Analysis, pSeries, PTX, ptx/ADMIN, Quick Place, Rational, RETAIN, RISC System/6000, RS/6000, RT Personal Computer, S/390, Sametime, Scalable POWERparallel Systems, SecureWay, Sequent, ServerProven, SpaceBall, System/390, The Engines of e-business, THINK, Tivoli, Tivoli (logo), Tivoli Management Environment, Tivoli Ready (logo), TME, TotalStorage, TURBOWAYS, VisualAge, WebSphere, xSeries, z/OS, zSeries.
The following terms are trademarks of International Business Machines Corporation in the United States and/or other countries: Advanced Micro-Partitioning, AIX 5L, AIX PVMe, AS/400e, Calibrated Vectored Cooling, Chiphopper, Chipkill, Cloudscape, DataPower, DB2 OLAP Server, DB2 Universal Database, DFDSM, DFSORT, DS4000, DS6000, DS8000, e-business (logo), e-business on demand, EnergyScale, Enterprise Workload Manager, eServer, Express Middleware, Express Portfolio, Express Servers, Express Servers and Storage, General Purpose File System, GigaProcessor, GPFS, HACMP, HACMP/6000, IBM Systems Director Active Energy Manager, IBM TotalStorage Proven, IBMLink, IMS, Intelligent Miner, iSeries, Micro-Partitioning, NUMACenter, On Demand Business logo, POWER, PowerExecutive, PowerVM, PowerVM (logo), Power
Architecture, Power Everywhere, Power Family, POWER Hypervisor, Power PC, Power Systems, Power Systems (logo), Power Systems Software, Power Systems Software (logo), PowerPC Architecture, PowerPC 603, PowerPC 603e, PowerPC 604, PowerPC 750, POWER2, POWER2 Architecture, POWER3, POWER4, POWER4+, POWER5, POWER5+, POWER6, POWER6+, pure XML, Quickr, Redbooks, Sequent (logo), SequentLINK, Server Advantage, ServeRAID, Service Director, SmoothStart, SP, System i, System i5, System p, System p5, System Storage, System z, System z9, S/390 Parallel Enterprise Server, Tivoli Enterprise, TME 10, TotalStorage Proven, Ultramedia, VideoCharger, Virtualization Engine, Visualization Data Explorer, Workload Partitions Manager, X-Architecture, z/Architecture, z/9.
A full list of U.S. trademarks owned by IBM may be found at: http://www.ibm.com/legal/copytrade.shtml.
The Power Architecture and Power.org wordmarks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. UNIX is a registered trademark of The Open Group in the United States, other countries or both.
Linux is a trademark of Linus Torvalds in the United States, other countries or both.
Microsoft, Windows, Windows NT and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries or both. Intel, Itanium, Pentium are registered trademarks and Xeon is a trademark of Intel Corporation or its subsidiaries in the United States, other countries or both. AMD Opteron is a trademark of Advanced Micro Devices, Inc.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries or both. TPC-C and TPC-H are trademarks of the Transaction Performance Processing Council (TPPC).
SPECint, SPECfp, SPECjbb, SPECweb, SPECjAppServer, SPEC OMP, SPECviewperf, SPECapc, SPEChpc, SPECjvm, SPECmail, SPECimap and SPECsfs are trademarks of the Standard Performance Evaluation Corp (SPEC).